nextcloud / files_antivirus

👾 Antivirus app for Nextcloud Files
https://apps.nextcloud.com/apps/files_antivirus
GNU Affero General Public License v3.0
81 stars 33 forks

Background scan finds infected file but does not delete it. #266

Closed (doftnet closed 1 year ago)

doftnet commented 1 year ago

Steps to reproduce

  1. create virus.txt with EICAR test string
  2. wait until background scan runs
  3. get notification that infected file was found and deleted.

Expected behaviour

The file should no longer exist

Actual behaviour

The file remains, and is detected again the next time a background scan runs. An error gets logged, and a cron notification gets sent to the local mailbox.

Server configuration

Operating system: OpenSUSE Tumbleweed 20230116

Web server: Apache 2.4.54

Database: PostgreSQL 14.6

PHP version: 8.1.14

Nextcloud version: 24.0.9

Where did you install Nextcloud from: Sources from Nextcloud

List of activated apps:

  - accessibility: 1.10.0
  - activity: 2.16.0
  - admin_audit: 1.14.0
  - apporder: 0.15.0
  - audioplayer: 3.3.1
  - bookmarks: 11.0.4
  - bruteforcesettings: 2.4.0
  - calendar: 3.5.4
  - checksum: 1.2.0
  - circles: 24.0.1
  - cloud_federation_api: 1.7.0
  - cms_pico: 1.0.20
  - comments: 1.14.0
  - contacts: 4.2.3
  - contactsinteraction: 1.5.0
  - cospend: 1.4.10
  - dashboard: 7.4.0
  - dav: 1.22.0
  - dicomviewer: 1.2.4
  - duplicatefinder: 0.0.15
  - event_update_notification: 2.0.0
  - external: 4.0.1
  - extract: 1.3.5
  - federatedfilesharing: 1.14.0
  - federation: 1.14.0
  - files: 1.19.0
  - files_antivirus: 4.0.2
  - files_downloadactivity: 1.15.0
  - files_external: 1.16.1
  - files_fulltextsearch: 24.0.1
  - files_fulltextsearch_tesseract: 24.0.0
  - files_markdown: 2.3.6
  - files_pdfviewer: 2.5.0
  - files_rightclick: 1.3.0
  - files_sharing: 1.16.2
  - files_texteditor: 2.15.0
  - files_trackdownloads: 1.11.0
  - files_trashbin: 1.14.0
  - files_versions: 1.17.0
  - fileslibreofficeedit: 1.1.0
  - firstrunwizard: 2.13.0
  - forms: 2.5.1
  - fulltextsearch: 24.0.0
  - fulltextsearch_elasticsearch: 24.0.1
  - impersonate: 1.11.0
  - integration_reddit: 1.0.5
  - integration_twitter: 1.0.3
  - ldap_write_support: 1.6.0
  - logreader: 2.9.0
  - lookup_server_connector: 1.12.0
  - maps: 0.2.2
  - metadata: 0.17.0
  - nextcloud_announcements: 1.13.0
  - notifications: 2.12.1
  - oauth2: 1.12.0
  - occweb: 0.1.0
  - openhab: 0.12.0
  - password_policy: 1.14.0
  - passwords: 2022.12.21
  - passwords_handbook: 2023.1.23
  - phonetrack: 0.7.4
  - photos: 1.6.0
  - previewgenerator: 5.1.1
  - privacy: 1.8.0
  - provisioning_api: 1.14.0
  - recommendations: 1.3.0
  - richdocuments: 6.3.3
  - serverinfo: 1.14.0
  - settings: 1.6.0
  - sharebymail: 1.14.0
  - socialsharing_diaspora: 2.5.0
  - socialsharing_email: 2.5.0
  - socialsharing_facebook: 2.5.0
  - socialsharing_twitter: 2.5.0
  - spreed: 14.0.8
  - support: 1.7.0
  - survey_client: 1.12.0
  - systemtags: 1.14.0
  - tasks: 0.14.5
  - telephoneprovider: 1.0.3
  - theming: 1.15.0
  - transfer: 0.6.0
  - twofactor_backupcodes: 1.13.0
  - twofactor_email: 2.7.1
  - twofactor_gateway: 0.20.0
  - twofactor_nextcloud_notification: 3.4.0
  - twofactor_totp: 6.4.1
  - updatenotification: 1.14.0
  - user_ldap: 1.14.1
  - user_status: 1.4.0
  - viewer: 1.8.0
  - weather_status: 1.4.0
  - welcome: 1.0.6
  - workflowengine: 2.6.0

Nextcloud configuration:

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "*.doft.net",
            "doft.net",
            "doftnet.enterprises"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "pgsql",
        "version": "24.0.9.2",
        "overwrite.cli.url": "https:\/\/cloud.doft.net",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "5432",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "lost_password_link": "https:\/\/doft.net\/password",
        "mail_smtpmode": "smtp",
        "mail_smtpsecure": "tls",
        "mail_sendmailmode": "smtp",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauth": 1,
        "mail_smtpauthtype": "PLAIN",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379,
            "dbindex": 0,
            "password": "***REMOVED SENSITIVE VALUE***"
        },
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "ldapIgnoreNamingRules": false,
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
        "maintenance": false,
        "theme": "",
        "loglevel": "2",
        "app_install_overwrite": [
            "occweb",
            "beame_insta_ssl",
            "cms_pico",
            "telephoneprovider",
            "dicomviewer",
            "twofactor_email",
            "files_texteditor",
            "previewgenerator",
            "socialsharing_diaspora",
            "socialsharing_email",
            "socialsharing_facebook",
            "socialsharing_twitter",
            "files_trackdownloads",
            "openhab",
            "ldap_write_support"
        ],
        "updater.release.channel": "stable",
        "encryption.key_storage_migrated": false,
        "default_phone_region": "US",
        "simpleSignUpLink.shown": false
    }
}

Client configuration

Browser: N/A - background scan

Operating system: N/A - background scan

Logs

Nextcloud log (data/owncloud.log)

{"reqId":"aIo6OWiCbxfFupUHcpFC","level":3,"time":"2023-01-19T06:35:07+00:00","remoteAddr":"","user":"--","app":"files_antivirus","method":"","url":"--","message":"Infected file deleted (during background scan) Win.Test.EICAR_HDB-1 File: 1980580 Account: doft Path: /doft/files/virus.txt","userAgent":"--","version":"24.0.9.2","data":{"app":"files_antivirus"}}
{"reqId":"aIo6OWiCbxfFupUHcpFC","level":3,"time":"2023-01-19T06:35:07+00:00","remoteAddr":"","user":"--","app":"cron","method":"","url":"--","message":"Typed property OCA\\Files_Antivirus\\Item::$appManager must not be accessed before initialization","userAgent":"--","version":"24.0.9.2","exception":{"Exception":"Error","Message":"Typed property OCA\\Files_Antivirus\\Item::$appManager must not be accessed before initialization","Code":0,"Trace":[{"file":"/srv/www/htdocs/nextcloud/apps/files_antivirus/lib/Item.php","line":113,"function":"deleteFile","class":"OCA\\Files_Antivirus\\Item","type":"->"},{"file":"/srv/www/htdocs/nextcloud/apps/files_antivirus/lib/Status.php","line":165,"function":"processInfected","class":"OCA\\Files_Antivirus\\Item","type":"->"},{"file":"/srv/www/htdocs/nextcloud/apps/files_antivirus/lib/BackgroundJob/BackgroundScanner.php","line":314,"function":"dispatch","class":"OCA\\Files_Antivirus\\Status","type":"->"},{"file":"/srv/www/htdocs/nextcloud/apps/files_antivirus/lib/BackgroundJob/BackgroundScanner.php","line":110,"function":"scanOneFile","class":"OCA\\Files_Antivirus\\BackgroundJob\\BackgroundScanner","type":"->"},{"file":"/srv/www/htdocs/nextcloud/lib/public/BackgroundJob/Job.php","line":79,"function":"run","class":"OCA\\Files_Antivirus\\BackgroundJob\\BackgroundScanner","type":"->"},{"file":"/srv/www/htdocs/nextcloud/lib/public/BackgroundJob/TimedJob.php","line":95,"function":"execute","class":"OCP\\BackgroundJob\\Job","type":"->"},{"file":"/srv/www/htdocs/nextcloud/cron.php","line":152,"function":"execute","class":"OCP\\BackgroundJob\\TimedJob","type":"->"}],"File":"/srv/www/htdocs/nextcloud/apps/files_antivirus/lib/Item.php","Line":200,"CustomMessage":"--"}}

Cron Notification

Error: Typed property OCA\Files_Antivirus\Item::$appManager must not be accessed before initialization in /<nextcloud-path>/apps/files_antivirus/lib/Item.php:200
Stack trace:
#0 /<nextcloud-path>/apps/files_antivirus/lib/Item.php(113): OCA\Files_Antivirus\Item->deleteFile()
#1 /<nextcloud-path>/apps/files_antivirus/lib/Status.php(165): OCA\Files_Antivirus\Item->processInfected()
#2 /<nextcloud-path>/apps/files_antivirus/lib/BackgroundJob/BackgroundScanner.php(314): OCA\Files_Antivirus\Status->dispatch()
#3 /<nextcloud-path>/apps/files_antivirus/lib/BackgroundJob/BackgroundScanner.php(110): OCA\Files_Antivirus\BackgroundJob\BackgroundScanner->scanOneFile()
#4 /<nextcloud-path>/lib/public/BackgroundJob/Job.php(79): OCA\Files_Antivirus\BackgroundJob\BackgroundScanner->run()
#5 /<nextcloud-path>/lib/public/BackgroundJob/TimedJob.php(95): OCP\BackgroundJob\Job->execute()
#6 /<nextcloud-path>/cron.php(152): OCP\BackgroundJob\TimedJob->execute()
#7 {main}
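
Added example, not part of the original report or the app's own code: a log check that pairs each files_antivirus "Infected file deleted" entry with a later exception in the same reqId whose trace passes through Item->deleteFile, the pattern in the log above where the file is reported deleted but remains. The sample lines are trimmed copies of the two entries above plus one constructed entry; the function and variable names are assumptions.

```python
import json
import re

# Constructed sample: trimmed copies of the two entries in the report above,
# plus one made-up deletion (reqId "constructed01") that raised no error.
SAMPLE_LOG = r'''
{"reqId":"aIo6OWiCbxfFupUHcpFC","level":3,"app":"files_antivirus","message":"Infected file deleted (during background scan) Win.Test.EICAR_HDB-1 File: 1980580 Account: doft Path: /doft/files/virus.txt"}
{"reqId":"aIo6OWiCbxfFupUHcpFC","level":3,"app":"cron","message":"Typed property OCA\\Files_Antivirus\\Item::$appManager must not be accessed before initialization","exception":{"Exception":"Error","Trace":[{"function":"deleteFile","class":"OCA\\Files_Antivirus\\Item"}]}}
{"reqId":"constructed01","level":3,"app":"files_antivirus","message":"Infected file deleted (during background scan) Win.Test.EICAR_HDB-1 File: 42 Account: alice Path: /alice/files/eicar.com"}
'''

# Message format as it appears in the report's log entry.
DELETED = re.compile(
    r"^Infected file deleted .*? (\S+) File: (\d+) Account: (\S+) Path: (.+)$")
FIELDS = ("signature", "file_id", "account", "path")


def hits_delete_file(entry):
    """True if the entry's exception trace passes through Item->deleteFile."""
    trace = (entry.get("exception") or {}).get("Trace") or []
    return any(f.get("function") == "deleteFile"
               and f.get("class", "").endswith("Files_Antivirus\\Item")
               for f in trace)


def failed_deletions(log_text):
    """Return files logged as deleted whose deletion then raised (same reqId)."""
    pending, failed = {}, []   # pending: reqId -> last "deleted" record
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue           # blank, truncated or non-JSON line
        if not isinstance(entry, dict):
            continue
        req = entry.get("reqId")
        m = DELETED.match(str(entry.get("message", "")))
        if entry.get("app") == "files_antivirus" and m:
            pending[req] = dict(zip(FIELDS, m.groups()))
        elif hits_delete_file(entry) and req in pending:
            failed.append(pending.pop(req))
    return failed


if __name__ == "__main__":
    for rec in failed_deletions(SAMPLE_LOG):
        print("reported deleted but deletion failed:", rec)
```

Any record this returns names a file that the notification and log call deleted but that should be checked on disk and rescanned.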

juliushaertl commented 1 year ago

Patch is in https://github.com/nextcloud/files_antivirus/pull/267

Testing is very welcome :)

doftnet commented 1 year ago

Slaps "easy" button...

Applied and waiting for the next background scan; results forthcoming.

doftnet commented 1 year ago

Confirmed. Test file actually deleted. Second copy of test file was also found and deleted as well.